(54) Title: CRYPTOGRAPHIC APPARATUS AND METHOD FOR A DATA COMMUNICATION NETWORK
(57) Abstract

A data transmission network (12) has a plurality of
computers (14) interconnected by a transmission channel
(12). The computer communicates with the channel
through a security device (16) which encrypts and decrypts
data. The device uses a key packet distributed over the
network from which a new key is derived by using the
encryption process within the device. The encryption process
makes use of a data sequence or "secret" peculiar to each
domain so that the key generated in the domain is also
peculiar to that domain. The key is changed as the
encryption proceeds and upon completion of the data
transmission. Each device periodically generates a new key for
distribution over the network.
CRYPTOGRAPHIC APPARATUS AND METHOD FOR
A DATA COMMUNICATION NETWORK

The present invention relates to a method and
apparatus for encrypting and transmitting data.

It is well-known to transfer data between
computers or other hosts over data communication
channels. Such hosts are arranged in networks and allow
transfer of data between a specific pair of hosts or to
all hosts in the network according to established
protocols.

It is often desirable to transmit sensitive
data on such a network and therefore the network must be
made secure, for example by limiting access to the hosts.
Alternatively, data may be encrypted prior to transfer so
that even if access to the network is obtained, any data
intercepted is not meaningful.

Various techniques are known for encrypting
data, many of which require a correlation between an
encrypting operation performed on the data as it is
generated and a decrypting operation performed by the
recipient. To achieve this correlation, it is usual to
provide keys that are used in a mathematical operation
performed on the data. Some techniques, such as public
key systems, utilize different keys at the sender and
recipient but then require multiple transfers to achieve
a secure transmission. Such a technique, however,
reduces the overall data transfer capacity of a network
and would not be compatible with existing communication
protocols.

Other techniques utilize an identical but
secret key at each host in the security domain. This
permits data to be transferred with a single
transmission. However, to provide the necessary degree
of security, it is preferable to change the key
periodically so that a prolonged observation of the
encrypted data sufficient to yield the key is not
possible.

The provision of a new key to each of the hosts
in a domain must be accomplished in a secure manner;
otherwise, the encrypted data becomes vulnerable. It has
been proposed to distribute keys manually, i.e. utilize
secure couriers to provide a new key to users of the
network but this is time-consuming, expensive and
provides too long a period between updates.

An alternative technique is to generate a key
from a central unit and transmit it over the network.
This, however, requires the transmission to be secure and
requires the central unit to be operational at all times.
A failure of the central unit disables the generation of
new keys and may render the domain vulnerable.

It is therefore an object of the present
invention to provide a method and apparatus for
encrypting data that is compatible with existing
communication protocols and may be utilized within a
network environment.

It is a further object to provide a method and
apparatus for generating keys on a periodic basis for use
in the network.

In general terms, the present invention
provides a security device at each host in a security
domain which uses a key in combination with a specific
mathematical function to provide an encrypting bit stream
as data is received. The bit stream is then used in an
encrypting function to encrypt and decrypt data as it is
received. As the encryption proceeds, the key is
modified by the mathematical function to generate the
encrypting bit stream.

In the preferred embodiment, the mathematical
function includes a register containing a secure, secret
bit sequence. The key is used to generate an address for
the register and extract the contents of the register for
use in the mathematical function.

To transmit new keys, each device may generate
a data packet that is used in part as the key and in part
as the data in an encryption process. The resulting
encrypted data is then used as a new key. Because the
new key has been generated using a "secret" peculiar to
the security domain, the key will also be peculiar to
that domain. In this way, keys may be transmitted
without encryption but still provide distinct
unpredictable keys in a particular domain.

An embodiment of the invention will now be
described by way of example only with reference to the
accompanying drawings, in which

Figure 1 is a schematic representation of a
network having a plurality of security domains;

Figure 2 is a representation of a security
device used in the network of Figure 1;

Figure 3 is a schematic representation of the
operation of the device shown in Figure 2 to encrypt
data;

Figure 4 is a schematic representation of the
format of a packet distributed on the network of Figure
1;

Figure 5 is a schematic representation of the
operation of the device shown in Figure 2 using the
packet of Figure 4;

Figure 6 is a schematic representation, similar
to Figure 3, of an alternative embodiment; and

Figure 7 is a representation of the operation
of the embodiment of Figure 6 similar to Figure 5.

GENERAL NETWORK ARRANGEMENT

Referring to Figure 1, a local area network 10
comprises a data channel 12 to permit the
transfer of packets of data between a plurality of host
computers 14, such as a computer or computer terminal.
Individual hosts will be identified with alphabetic
suffixes, i.e. 14a, 14b, etc. Each of the hosts 14
requiring a cryptographic facility is connected to the
data channel 12 through a security device 16 which is
operable to encrypt data transmitted by a host 14 or
decrypt data received by the host 14. Those hosts not
requiring encryption, such as, for example, 14g are
connected directly to the channel 12.

Data is transmitted in the channel in frames
consisting of a preamble of a particular sequence of bits
followed by a data packet. The packet consists of a
destination address (typically 48 bits), a source
address, the packet length and the information to be
transmitted. The information will be followed by a
cyclic redundancy check (CRC) of the data transmitted on
the channel 12. The format of the packet is described
more fully below with reference to KEY DISTRIBUTION.

The first bit of the destination address will
indicate whether the packet is to be broadcast on the
network or is to be locally directed to a particular
host. The exchange of data between the host 14 and the
security device 16 and between the device 16 and the
channel 12 is regulated by a conventional communications
interface 15 operating on an established protocol as is
well known in the art and will not be described further.

Each of the devices 16 performs a similar
cryptographic operation on the data. However, to divide
the network 10 into a plurality of distinct security
domains 18a, 18b, indicated by chain dot lines, the
encryption keys used in the devices 16 of each domain 18
are different. Thus, encrypted data may be sent between
hosts 14 of the same domain and will be received by hosts
of different domains. However, these other hosts will
not decrypt the data correctly.

Each of the devices 16 operates in a similar
manner and therefore its operation in encrypting and
decrypting data will be described in detail first.
Thereafter, the interaction of the devices within the
network will be described.

THE ENCRYPTION PROCESS 

Referring to Figure 2, each of the devices 16
includes an encryption module 20 having a key register 22
which stores a 128 bit encryption key. At any given
time, the key is identical in each operable device 16 in
the same security domain 18. As will be explained, the
key will be changed periodically within the domain and
will also change as the encryption proceeds. Because the
key is changed periodically, a 32 bit key sequence number
is associated with each key and stored in a register 25.

The encryption module 20 operates under the
control of the interfaces 15 to intercept data flowing
between the host 14 and data channel 12 to perform an
encryption process so as to encrypt and decrypt the data
as it passes through the device 16. The device 16 also
includes a key generator module 33 that is used to change
periodically the key in the register 22 in a manner to be
described below.

As best seen in Figure 3, the key stored in
register 22 is used by each of a pair of parallel
processing paths in each device 16 indicated as "B" and
"L". However, only one path will be described in detail,
as the processing is identical in both.

The bits of register 22 are initially
transferred into an active register 23 where they are
subdivided into discrete groups to provide 16 8-bit
addresses, A0 to A15. Each address A contains an 8-bit
word formed from 8 successive bits of the key in register
22.

A 1 x 256 bit register 24 is associated with
each of the addresses A which together provide a primary
memory 25. Each register 24 uses a respective one of the
8-bit words from the active register 23 as its read
address. The 256 bit sequence in each register 24 in the
primary memory 25 is maintained secret prior to and after
installation. In general, the sequence in a register 24
is different to any other bit sequence in the other
registers 24 of the same primary memory 25. In
particular, the bit sequence in the register 24 in path B
associated with address An will, in general, be different
to the corresponding register 24 in path L. However, the
bit sequence in corresponding registers 24 in different
devices 16 in the same domain 18 will be the same. Thus,
the bit sequence in register 24 in path B associated with
address A0 in device 16a will be identical to the bit
sequence in register 24 in path B associated with address
A0 in devices 16c, 16d.

Each register 24 outputs a single bit contained
at the address corresponding to the bit sequence in the
associated address A so that a total of 16 bits are
outputted by registers 24 of primary memory 25. The 16
bits are grouped into two 8-bit words and each is used as
the address for a respective 1 x 256 bit register 26
which together form a secondary memory 29. The bit
sequence in each of the registers 26 in the same device
is in general different and secret. However, it is
identical to the corresponding register 26 in the
secondary memory 29 in all other devices 16 of the same
domain 18.

Each of the registers 26 outputs a single bit
indicated as P,Q corresponding to the address designated
by the 8-bit word. A pair of PQ bits is similarly
generated from the parallel processing path L and each
pair of bits is applied to a switch 27 which selects one
of the pair of P,Q bits. If the destination address
indicates that the packet is to be broadcast, the output
of path B is selected, and conversely a local destination
address ensures that path L is selected. The bits
selected by switch 27 are applied to an exclusive OR
function 28 which generates a single output bit
identified as FEK and used to encrypt incoming data.

The FEK bit is applied as one input to an
exclusive OR (XOR) function 30. A bit of the data stream
received at the device 16 from associated host 14 to be
encrypted is applied to the other input of XOR function
30 so that the output is encrypted data that is the
product of the exclusive OR function of the FEK bit and
the data. The encrypted bit is then transmitted from the
device 16 to the channel 12.

The selected P and Q bits are also applied to a
2x4 truth table 32. Table 32 produces a different 4-bit
output for each combination of P and Q. Thus, if P
and Q are both 0, the 4-bit output may be 1010, whereas
if P is 1 and Q is 0, the output may be 0110. It is
preferred that output combinations having two 1's and two
0's are used.

The output of table 32 is replicated 4 times
and distributed through a 128-bit sequence that is stored
in an adder 34. Adder 34 is used to increment the active
register 23 so that each 8-bit cell of the register 23
will be incremented by one bit of the output of table 32.
Thus, if the output of truth table 32 is 0110, the bits
in addresses A0, A3, A4, A7, A8, A11, A12 and A15 will not
be changed but the bits in addresses A1, A2, A5, A6, A9,
A10, A13 and A14 will be incremented by 1. In the
event that an address A that has all 1's is incremented,
its value will reset to all 0's with no overflow.
Provided output combinations with an equal distribution
of 1's and 0's are used in Table 32, the bit sequence in
half of the addresses A in the key will change and
produce a new key in the active register 23.

The generation of a new FEK bit then proceeds
using the new key in active register 23, and is XOR'd
with the next bit of data. The entire packet is
encrypted with successive FEK bits in this way, starting
at the second bit of the destination address and
proceeding until the last bit of the CRC, which is the
last bit of the packet. The first bit of the destination
address is not encrypted. It is used to indicate whether
the B path ("1") or the L path ("0") was used to generate
the FEK bits.

Finally, the encrypted packet has appended to
it a CRC field so that the encrypted packet will seem
normal to any computers, such as 14g of Figure 1, that
do not connect to the network 12 through a security
device 16. This extra CRC has no other purpose. It is
ignored by the security devices 16 that receive the frame
containing the packet.

The encrypted frame is composed of a preamble
followed by the encrypted packet and the appended CRC.
This encrypted frame is transmitted on the channel 12 in
the normal way that unencrypted frames are transmitted.

The same process is used to decrypt the data as
it is received by a security device 16 in the same domain
on the channel 12. If a meaningful decryption can be
made, the key in register 22 will correspond to the key
first used to encrypt a bit of the packet. The FEK bit
initially generated by the key will therefore correspond
to the FEK bit initially used to encrypt the data. By
XOR'ing the incoming encrypted data bit with the same FEK
bit, the original data is obtained. Since the XOR
function is reversible by a second encryption with the
same key, the original bit stream results after the
decryption provided the contents of the secret registers
24,26 are the same in the decrypting device as they were
in the encrypting device.

WO 93/09627    PCT/CA92/00486

An attempt to decrypt the data packet with a
device 16 from another domain will not succeed as the bit
sequences in the registers 24 and 26 will differ. Thus,
the same key will produce a different sequence of FEKs
and will not correctly decrypt the data. This will be
apparent from a comparison of the CRC included in the
encrypted data and that obtained after decryption.

After the encryption and decryption has been
successfully completed for a packet, each 4-word span of
the key stored in register 22 in each of the devices 16
is incremented by the key sequence number stored in
register 25. The newly generated key is then transferred
to the active register 23 upon receipt of the next
packet.

Thus many packets may be encrypted from the
same initial key with the key changing bit by bit within
a packet and also changing on a packet-to-packet basis.

OPERATION WITHIN A NETWORK 
The destination address of a data packet will
indicate whether the data is to be broadcast to each host
14 within a domain or to a specific host, i.e. local
transfer, within the domain.

Where the data is to be broadcast, each host 14
within the domain will receive the data decrypted by its
associated device 16 and, upon completion of the packet,
will update the key in register 22. Devices 16
associated with hosts outside the domain will also
receive the data packet but an attempt to decrypt the
data will result in an incorrect CRC because the secret
in their broadcast path B is different.

There is an important difference in the
operation of the security device 16 when it is decrypting
a packet using the L path rather than the B path. In
this case, the decrypted destination address that is
generated bit-by-bit is compared bitwise with the network
address of the associated computer 14 to which the frame
containing the decrypted packet is being sent. As this
bitwise comparison is taking place, the first 47 bits of
the destination address of the associated computer
replace the actual destination bits of the packet and are
forwarded to the computer in their place.

If the result of the bitwise comparison shows
that the decrypted destination address is exactly that of
the associated computer 14, the 48th and last bit of its
own destination address is sent to the computer, and the
decrypted packet is sent bit-by-bit to the computer up to
but not including the CRC that was added during
encryption.

If the result of the bitwise comparison shows
that any bit of the decrypted destination address in the
incoming packet differed from the corresponding bit in
the network address of the computer, the 48th and last
bit of the destination address that is sent to the
computer is the complement of the 48th and last
bit of its network address, and a standard pattern of
bits, one pattern bit for each incoming packet bit, is
forwarded to the computer 14 instead of the decrypted
packet. The standard pattern is followed by an
appropriate and correct CRC at the point where the CRC
appears in the packet before encryption. The standard
pattern is preferably chosen to make this CRC easier to
compute. Once the transmission is complete, the key
registers 22 in all devices 16 that have seen a complete
packet with a correct CRC are updated as previously
described. In this way, the key in the register 22
remains the same for each device 16 in a domain even
though the data packet is only decrypted by one device in
the domain.

If for some reason the transmission is 
interrupted, no change is made to the key in register 22. 

As noted above, each encrypted packet includes
a CRC of the data as transmitted. This permits hosts
without a device 16, such as host 14g, to process the
packet through its interface and also permits the
distribution of unencrypted packets throughout the
network as may be desirable but only among those
computers not attached to the network through a security
device 16.

KEY DISTRIBUTION 
To utilize the above encryption process, it is
necessary to generate an identical key in each device 16
in the same domain 18. It is also preferable that the
key in each domain is different. The encryption process
described above is utilized in the periodic generation of
a new key within a domain as shown in Figures 2 and 4.

The key generation module 33 in each device 16
is used to generate periodically a key distribution
packet that is transmitted over the data channel 12 and
processed by the devices 16 in the same domain to
generate a new key in a manner to be described below
assuming that one of the devices 16 has control of the
channel 12 in a collision-free manner.

The key distribution packet must be compatible
with normal data packets and therefore has a similar
format. However, indicators within the packet are used
to identify it to other devices 16 as a key distribution
packet and ensure that it is processed by the module 33
to generate the new key.

The format of a data packet produced by the key
generator module 33 is shown in Figure 4. Each packet
has a minimum bit length (in this example, 512 bits) and
is arranged in notional blocks of bits. The packet will
of course be preceded by a preamble as is usual.

The first two blocks of the packet, whether
used for normal data transfer or key distribution, are
each 48 bits and are respectively the destination address
block 35 and the source address block 36. When normal
data is to be transmitted, each address block 35,36 will
be a 48 bit code indicative of the destination and source
computer respectively. The first bit of destination
address block 35 indicates whether or not the packet is
to be processed by the broadcast path B, indicated with a
"1", or by the local path L, indicated with a "0". The
second bit of the addresses 35,36 is used to indicate
whether or not the frame identification is under local
control (1) or is a worldwide unique code (0). With a
normal data packet, worldwide unique codes will be
indicated and followed by a 46-bit host computer address.

Where the data packet is directed to a specific
address, the destination address block 35 would commence
with 00 or 01 and is followed by a 46 bit address for the
recipient host computer 14. However, if the data packet
is to be broadcast over the network, the destination
address block 35 would be constituted by a 1 followed by
47 bits, typically all "1's".

A source address block 36 follows the
destination address block 35 and is used to indicate the
origin of the data packet. The source address will
always begin with an "00" or "01" and will be followed by
a 46 bit identifier code uniquely identifying the source
computer.

To distribute a new key in a security domain, a
key distribution packet (KDP) is generated by module 33.
Module 33 has special address contents for both
destination address and source address stored in an
address register 51 in the module 33 and the packet is
recognized as a key distribution packet by these contents.
The destination address of a KDP could be 48 "1" bits,
indicating a broadcast packet, but it is preferred to use
a special destination address peculiar to a KDP. The
source address 36 of a KDP is a specific bit pattern,
beginning with "00" and followed by a 46-bit identifier
code reserved for this purpose. The 48 bits of the
destination address and 46 bits for the source address
can be chosen during device manufacture. They will,
however, be worldwide unique to a particular network;
that is, all the devices 16 attached to the network and
intended to change their keys synchronously will be
identified with the same code. Typically, this will be
limited to a single domain.

The worldwide uniqueness of the identifier
codes is assured because these bit combinations are
regulated by an international organization such as the
IEEE. In the present case, the identifier code used as
the destination and source address will be indicative of
a message originating at a security device 16 and
therefore is a prime indication that the packet is a key
distribution packet. Therefore, by using the 48-bit
destination and source addresses, it is possible to
distinguish a key distribution packet from a normal data
packet.

The packet length is indicated by a 16-bit
packet length block 37 which, with normal data packets,
precedes the information to be transmitted. When the
packet is a key distribution packet, however, the packet
length block 37 is followed by a 32-bit key sequence
number block 38 derived from the key sequence register 25
in encryption module 20 of the device 16 generating the
KDP. The data in key sequence number register 25 is
incremented by 1 for insertion in block 38 so that as the
keys are updated in a domain 18, the key sequence number
used in that domain changes in a controlled manner. Each
host computer in the same domain should be operating with
the same key sequence number.

The key sequence number block 38 is followed by
a 96 bit data block 40 and a 128-bit data block 42
separated by a fixed length padding block 45. The data
in blocks 40,42,45 is generated pseudo-randomly by a
random number generator 53 in the key generator module 33
in the security device 16 that originated the KDP.

The next data block 43 is 128 bits long, also
obtained from the random number generator 53 in the
security device 16 that originated the KDP. It is
followed by a fixed length padding block 45 and a data
field called the CRC frame integrity block 44 derived by
the transmitting security device 16 during transmission
of the KDP.

As the key distribution packet is transmitted,
the CRC frame integrity block 44 has to be generated and
this is done by utilizing the encryption module 20 in the
generating security device. As shown in Figure 4, the
key sequence number 38 and the data block 40, totalling
128 bits, are loaded into the key register 23. The
normal FEK encryption mechanism 20 is used, with the B
path selected by switch 27, to encrypt the incoming 128
bit data block 42 and to place the 128 bit result into a
holding register 50 in module 33. The contents of
register 50 are then transferred to register 23, and this
new key is used to encrypt data block 43. A cyclic
redundancy check (CRC) of these encrypted bits is
performed as the encryption proceeds and is used as the
transmitted frame integrity block 44.

Data blocks 40, 42, 43 and 44 are separated by
the fixed length fields 45 to allow time for processing
in the originating and receiving security devices 16.

The packet is completed by a padding block 46
to satisfy the minimum length requirements of the
protocol and a 32 bit CRC block 48 that is generated from
the bits of the packet as transmitted to check for
error-free transmission.



KEY GENERATION 
The key generator module 33 is activated to
transmit a key distribution packet under the control of a
timer 62 and attempts to gain access to the line 12.
Assuming that access is obtained, the key distribution
packet is generated and transmitted over link 12 to be
received at other security devices 16 on the channel 12.
It is identified by each of the security devices 16 as a
KDP because of the bit combination of the broadcast
destination address 35 and the source address block 36.
The key sequence number in block 38 is compared with that
in register 25 in the receiving security device 16 and if
the new key sequence number is greater than the existing
one, the production of a new key proceeds. If the key
sequence number is not greater than the existing one, the
KDP will be ignored. Throughout the generation of the
key, the device 16 will maintain a data stream to the
associated host 14 to prevent generation of new packets
from the computer interfering with the key generation.

A similar process is followed to that used to
generate the CRC frame integrity block 44 to generate a
new key. At each of the receiving devices 16 having the
correct correlation of key sequence numbers, the new key
sequence number block 38 and data block 40 are loaded
into the register 23 and used as the active key to
encrypt the data block 42. The resulting encrypted data
is stored in the register 50 as the potential new key
which should correspond with the contents of the register
50 in the generating device 16. To check for the
integrity of the transmission and encryption, the
contents of register 50 are transferred to the active
register 23 and used as the key to encrypt the data block
43. As the encryption proceeds, a CRC is performed on
the 128 bits of the block 43 and the result compared with
the frame integrity block 44. If these are identical,
the transmitting and receiving security devices must have
the same B path memories 24,26 contents, and assuming
physical security is adequate, the receiving device 16 is
in the same domain as the generating device 16 and the
contents of register 50 are transferred to the register
22. The key sequence number in register 25 is also
replaced by the new key sequence number and each device
in the same domain is operating with a new but identical
key. Thereafter, normal data may be transferred within
the domain.

It will be noted that although the key
generator data packet is broadcast throughout the network
10, a secure key is generated in each security domain by
virtue of the unique secure bit sequences used to
generate the FEK bit. If a packet appears to be a KDP
but its key sequence number is not greater than the
sequence number of the key it is using, or if a packet
appears to be a KDP but the integrity block 44 does not
satisfy the comparison described, or if the packet
appears to be a KDP but the overall packet CRC does not
work out as it should, then some flaw has been detected
in the packet. In all cases, invalid key sequence
number, invalid integrity block 44, or invalid packet
CRC, the packet is ignored and no change is made to the
key register 22 or key sequence number 25.
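
The FEK generation described under THE ENCRYPTION PROCESS and the key derivation and acceptance checks described under KEY DISTRIBUTION and KEY GENERATION, modelled in Python as an added example that is not part of the patent text. The register contents, the two truth-table rows the text does not give, the grouping and bit order of the 16 primary output bits, and the use of CRC-32 are assumptions; the names FekPath, derive_from_kdp, accept_kdp and build_sample_kdp are hypothetical.

```python
import random
import zlib

# Truth table 32: (P, Q) -> 4-bit increment pattern. The text gives only the
# rows for (0,0) and (1,0); the other two rows are assumptions that keep the
# preferred two 1s and two 0s per pattern.
TRUTH_TABLE = {(0, 0): (1, 0, 1, 0), (1, 0): (0, 1, 1, 0),
               (0, 1): (1, 0, 0, 1), (1, 1): (0, 1, 0, 1)}


def make_path_secret(seed):
    """Constructed sample secret for one path: 16 primary registers 24 and
    2 secondary registers 26, each 1 x 256 bits."""
    rng = random.Random(seed)
    return [[rng.getrandbits(1) for _ in range(256)] for _ in range(18)]


class FekPath:
    """One processing path (B or L) of encryption module 20."""

    def __init__(self, key, secret):
        if len(key) != 16:
            raise ValueError("key must be 128 bits")
        self.cells = list(key)            # active register 23: A0..A15
        self.primary, self.secondary = secret[:16], secret[16:]

    def next_fek(self):
        # Each register 24 outputs the single bit stored at its address A_i.
        bits = [reg[a] for reg, a in zip(self.primary, self.cells)]
        # Assumption: outputs of A0..A7 form the first 8-bit word (MSB first),
        # outputs of A8..A15 the second.
        w0 = int("".join(map(str, bits[:8])), 2)
        w1 = int("".join(map(str, bits[8:])), 2)
        p, q = self.secondary[0][w0], self.secondary[1][w1]
        # Adder 34: cell i gains bit (i mod 4) of the table output; a cell
        # holding all 1s wraps to all 0s with no carry.
        pattern = TRUTH_TABLE[(p, q)]
        self.cells = [(a + pattern[i % 4]) & 0xFF
                      for i, a in enumerate(self.cells)]
        return p ^ q                      # XOR function 28

    def crypt(self, data):
        """XOR every data bit with a fresh FEK bit; the same call decrypts."""
        out = bytearray()
        for byte in data:
            stream = 0
            for _ in range(8):
                stream = (stream << 1) | self.next_fek()
            out.append(byte ^ stream)
        return bytes(out)


def derive_from_kdp(secret_b, seq, block40, block42, block43):
    """Return (candidate key for register 50, integrity value for block 44)."""
    seed_key = seq.to_bytes(4, "big") + block40      # 32 + 96 bits
    new_key = FekPath(seed_key, secret_b).crypt(block42)
    encrypted43 = FekPath(new_key, secret_b).crypt(block43)
    # Assumption: CRC-32 stands in for the CRC the text leaves unspecified.
    return new_key, zlib.crc32(encrypted43)


def accept_kdp(secret_b, current_seq, kdp):
    """Receiver checks: newer sequence number, then matching integrity block.
    Returns the new key, or None when the packet must be ignored."""
    if kdp["seq"] <= current_seq:
        return None
    key, integrity = derive_from_kdp(secret_b, kdp["seq"], kdp["block40"],
                                     kdp["block42"], kdp["block43"])
    return key if integrity == kdp["block44"] else None


def build_sample_kdp(secret_b, seq):
    """Constructed KDP fields as an originating device would fill them."""
    rng = random.Random(1993)
    kdp = {name: bytes(rng.getrandbits(8) for _ in range(size))
           for name, size in (("block40", 12), ("block42", 16),
                              ("block43", 16))}
    kdp["seq"] = seq
    key, kdp["block44"] = derive_from_kdp(secret_b, seq, kdp["block40"],
                                          kdp["block42"], kdp["block43"])
    return kdp, key


# Constructed B-path secrets for two security domains.
DOMAIN_18A = make_path_secret("constructed secret, domain 18a, path B")
DOMAIN_18B = make_path_secret("constructed secret, domain 18b, path B")

if __name__ == "__main__":
    kdp, sender_key = build_sample_kdp(DOMAIN_18A, seq=8)
    print("same domain accepts:", accept_kdp(DOMAIN_18A, 7, kdp) == sender_key)
    print("other domain ignores:", accept_kdp(DOMAIN_18B, 7, kdp) is None)
    print("stale sequence ignored:", accept_kdp(DOMAIN_18A, 8, kdp) is None)
    message = b"constructed payload for domain 18a"
    sealed = FekPath(sender_key, DOMAIN_18A).crypt(message)
    print("round trip:", FekPath(sender_key, DOMAIN_18A).crypt(sealed) == message)
    print("wrong secret:", FekPath(sender_key, DOMAIN_18B).crypt(sealed) != message)
```

The KDP travels in the clear, yet only a device holding the same register contents reproduces the key and the integrity value, which is the property the text relies on to keep domains separate.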

PERIODIC GENERATION OF KEY DISTRIBUTION PACKET
AND INITIALIZATION

The above process assumes that a key
distribution packet is received periodically and it is a
particular benefit of the present system that each of the
security devices 16 has the capability of generating a
key distribution packet. It is, however, possible to
provide a central control to generate such packets if
preferred.

Because each of the devices 16 has the
capability of generating a new key, the timer 62 in key
generation module has a variable countdown period to
ensure that one device 16 does not monopolize generation
of the key distribution packets. After a particular
device has gained access to the channel 12 and
transmitted a new key, timer 62 of that device 16 is
reset to an initial period (60 - jδ) seconds where δ is an
arbitrary time, e.g. 100 μs, and j is an integer that
initially is zero.

Each time a new key distribution packet is
received by the device 16 and processed by the key
generation module, a signal is also applied to the timer
62 to increase the value of j by 1, i.e. decrease the
interval set by the timer 62. Thus, as other devices 16
generate key distribution packets, the interval set by
timer 62 will progressively decrease and ensure that
eventually its associated device 16 will gain access. Of
course, once access is obtained, a reset signal resets
timer 62 to the initial maximum countdown period. If a
collision is detected during transmission of the key
generation packet, the timer 62 is reset to its previous
value. This preserves the status of the device 16 in the
key generation process and also avoids progressively
decreasing intervals between unsuccessful attempts. This
would tend to cram a network being utilized near its
maximum capacity.

Because hosts 14 can be connected or
disconnected from the network at any time, it has to be
recognized that after connection or reconnection, an
initialization period is required before the device 16
will operate with the same key as other devices in the
same domain. To mitigate the possibility of a newly-
connected host 14 gaining access and generating a
key, the timer 62 is conditioned to calculate an
increasing time-out interval. At initialization, timer
62 sets the timeout counter at (60+C) seconds, where C is
a function of the serial number of the unit 16 in which
the module 33 is located. This will always be greater
than the interval set by the counter 62 of a previously
connected host 14 and therefore a new key will be
received before the timer of the new device counts down.
When receiving the new key distribution packet, the
discrepancy between key serial numbers is ignored and,
provided the CRC frame integrity blocks 44 are the same,
indicating a common domain, the transmitted key serial
number is adopted and entered in the register 25.
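
The countdown rule of timer 62 described in this section can be modelled in a few lines. This is an added illustration, not part of the patent text: the serial numbers, the form chosen for C, the tie-break between timers that expire together and the value of j given to a device on its first received packet are all assumptions, and the time step uses the text's example value of 100 microseconds.

```python
BASE_US = 60_000_000     # 60 s initial countdown, in microseconds
STEP_US = 100            # the arbitrary time step, text's example of 100 microseconds

def join_offset_us(serial):
    """Hypothetical C: any positive function of the unit's serial number."""
    return 1_000 * (1 + serial % 1000)

def simulate(serials, rounds, join_round=None, new_serial=None):
    """Return (order in which devices generate KDPs, collided attempts)."""
    j = {s: 0 for s in serials}          # synchronised devices, j starts at zero
    waiting = {}                         # newly connected: serial -> timeout
    order, collisions = [], 0
    for r in range(rounds):
        if r == join_round:
            waiting[new_serial] = BASE_US + join_offset_us(new_serial)
        timeout = {s: BASE_US - j[s] * STEP_US for s in j}
        timeout.update(waiting)
        first = min(timeout.values())
        expired = sorted(s for s, t in timeout.items() if t == first)
        if len(expired) > 1:
            # Timers expiring together collide. Each goes back to its previous
            # value (j unchanged); assumed here: lowest serial wins the retry.
            collisions += 1
        winner = expired[0]
        order.append(winner)
        for s in j:                      # the new KDP reaches every device
            j[s] = 0 if s == winner else j[s] + 1
        for s in waiting:                # a joiner adopts the key serial number
            j[s] = 0 if s == winner else 1   # assumed: this KDP counts as its first
        waiting.clear()
    return order, collisions
```

With three devices the generator role rotates, and a device that joins at round 3 does not generate a packet until it has first received one.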

GENERAL OPERATION
In operation, therefore, a host 14 that wishes
to transmit data over the channel 12 will monitor network
usage through the interfaces 15.
According to its normal protocol, it will
choose a time to transmit the frame containing the packet
so as to minimize interference with other such frames.
As the frame is received in the security device 16, it is
encrypted by the encryption unit 20 and transmitted on
the network 12. The first bit of the destination address
is not encrypted so that when it is received, it can be
identified as a broadcast packet, encrypted through the B
path of the unit 20, or a local packet, encrypted through
the L path of the FEK unit.

The received data is decrypted by the
decryption unit 20 and its destination address 35
examined to determine if it is intended for the
associated host 14. If it is, the decrypted data passes
through the communications interface 15 to the host 14.
If the destination address indicates that the message is
not intended for the associated host 14, the packet is
ignored but the interface unit 15 maintains a data stream
to the host to prevent the host requesting access to the
link 12 and initiating a collision.

Devices 16 or unprotected hosts 14 outside the
security domain of the originating host 14 that receive
the data will not be able to decrypt it, as the keys
and the contents of registers 24, 26 will differ.

When one of the timers 62 finishes its
countdown, a signal requesting access to the channel 12
is sent to the interface 15. If the data channel 12 is
busy, the access is refused and the timer is reset to its
previous value. If the data channel 12 is available, the
generation of a key generation packet is initiated and
the packet is transmitted over the channel 12. Devices 16
in the same domain will recognize it as a key generation
packet and proceed to generate a new key as detailed above.
Once transmission has been completed, the timer 62 is reset
to the maximum period and the timers 62 in each of the other
devices are reset to a reduced interval.

It will be seen, therefore, that the network 10
is self-sustaining in that new keys may be periodically
generated by any of the security devices 16. The
generation of different keys in each security domain
enables a key generator packet to be broadcast throughout
the network from any of the devices without compromising
the security. The integrity of the domain is maintained
by ensuring that the devices 16 are tamperproof and do
not require modification of the hosts 14 or data channel
12. The encryption algorithm ensures progressively
varying encryption keys that are periodically changed and
are therefore, in practical terms, entirely secure.

ALTERNATIVE CONFIGURATIONS
As described above, the secrets in registers 24
and 26 in the broadcast path and local path of a domain are
different to those of other domains. This means that the
keys are generated on a domain-by-domain basis. In
certain instances, it may be desirable to have a common
key throughout a network but still retain separate
domains. The present arrangement has the flexibility to
accommodate this by providing common registers in the
broadcast path of all domains but retaining differences
between domains in the local path. The key distribution
packet will then be recognized and processable by all
devices 16 in the network to generate a common key
provided its CRC block 44 is derived from an encryption
in the B path. Even though a common key is used, secure
transmission can still occur within the domain by using
the local path.

SECOND EMBODIMENT
A further embodiment of the security device 16
is shown in Figures 6 and 7, with Figure 6 schematically
illustrating its operation during encryption and
decryption, and Figure 7 illustrating the generation
and distribution of new keys. Components having a
similar function to those described in the embodiments of
Figures 1 through 5 will be identified with like
reference numerals with a suffix "a" added for clarity.

FEK BIT GENERATION
Referring therefore to Figure 6, an active
register 23a is formed from three linear recurring
sequence registers (LRS) each of which contains a portion
of the key. The LRS register is a commercially available
register having the facility for internal feedback
connections between cells of the register and may be
arranged to ensure that no repetition of the sequence
within the register occurs within 2^32 bits. Such
registers are readily available.

A first register 70 is identified as the key
distribution frame (KDF) register and contains the key
distribution frame sequence number that is transmitted
with a key distribution frame as will be described in
further detail below. The second register 72 is
identified as a successful frame count register (SFC) and
its contents are initially derived from the transmission
of a key distribution frame. The contents of the SFC
register 72 are incremented after a frame has been
transmitted and for the purposes of the protocol, it is
assumed that the transmission of 512 bits indicates that
a frame has been transmitted successfully. The count in
the SFC register 72 is incremented after each frame.

The third register 74 is identified as the FEK
bit count register (FBC) and its contents are also
generated during distribution of a key distribution
frame. The contents of the FBC register 74 are
incremented by 1 after each generation of a FEK bit so
that during transmission of a frame, the contents of the
FBC register 74 are continuously changing. A backup
register 76 stores the initial value of the FBC register
74 and reloads it after the transmission of each frame.
This is necessary as the contents of the FBC register
will be incremented even if the transmission of the frame
is terminated due to a collision with another frame and
so the contents of the register 74 in one security device
would differ from that in other security devices in the
same domain. Accordingly, by reloading the initial value
of the FBC register at the start of each frame, all
devices in the domain will have the same contents for the
active register 23.

The contents of the active register 23 are used
to derive an address for each of the columns in a primary
memory 25a. Each column 24a of memory 25a corresponds to
a register 24 shown in Figure 3 and provides a single bit
output for each address. The address for each column 24a
is derived from a 96-bit address register 78 which
receives the bits of each of the registers 70, 72, 74. The
bits of the registers 70 through 74 are interleaved in
the primary memory address 78 such that two bits from the
register 70 are followed by two bits from the register 72
which in turn is followed by two bits from the register
74. Six such bits are then grouped to provide a six-bit
address for a respective register 24a. Each of the
columns 24a has a distribution of 1's and 0's which is
approximately equal and each of the columns 24a has a
combination that is secret and preferably different from
any other column in the primary memory 25a. As before,
however, each of the columns 24a in one of the devices 16
will have a corresponding register 24a in another of the
devices 16 in the same domain and sharing the same
secret.

The output from the primary memory 25a is a
16-bit address which is used to address a 1 x 2^16
secondary memory 29a. The contents of the secondary
memory 29a are also secret but identical with other
devices in the same domain and have a substantially equal
distribution of 1's and 0's within the memory. The
output from the secondary memory 29a is a single FEK bit
which is exclusive OR'D at the XOR function 30a with
incoming data. Encrypted data is then transmitted as the
outgoing bit stream.

Upon successful transmission of 512 bits, a
frame detector 80 assumes that a successful frame
transmission has occurred and, upon detection of the
start of the next frame, will increment the contents of
the SFC register 72 by 1. The detection of a start frame
delimiting pattern in the preamble of a frame will also
reload the contents of the FBC register 74 so that the
initial address in the primary memory address 78 will
differ from frame to frame. The contents of the KDF
sequence number register 70 remain constant until such
time as a new key is distributed over the network. It
will be seen, however, that the FEK bit is generated by
using a dynamic key to generate the addresses for two
memories, the contents of which are secret.

KEY GENERATION
The generation of the key is again accomplished
by any of the security devices 16 as will be described
with reference to Figure 7. The format of the frame
distribution packet is generally similar to that shown in
Figure 4 and includes a preamble followed by a start
frame delimiter sequence followed by a destination
address 35a. The destination address 35a indicates that
the frame is to be broadcast within the domain and is
followed by a source address 36a. The source address 36a
is derived from a register equivalent to the address
register 51 in Figure 2 and identifies to the recipients
of the frame that the frame is a key distribution packet.
The recognition of the source address 36a causes the
contents of the registers 70, 72, 74 to be temporarily
stored in parallel registers 70a, 72a, 74a so that if the
frame is not correctly received, the previous contents of
the active register 23a can be restored.

The recognition of the source address 36a also
initializes the LRS 70, 72, 74 so that they contain a full
count of 1's. A pad 37a is provided between the source
address and the KDF sequence number 38a to allow for the
initialization of the registers. The KDF sequence number
is the contents of the KDF register 70 incremented by 1
and is initially compared with the existing contents of
the register 70 to ensure that it is a valid key sequence
number. Assuming that it is, the new key distribution
sequence number 38a is loaded into the KDF register 70.
The KDF sequence number 38a is a 64-bit sequence which is
loaded into the register to initialize a new sequence of
bits in the register. This sequence will be identical
for each device 16 in the same domain. The contents of
the registers 72 and 74 are still all 1's.

A pad is provided after the KDF and is then
followed by a data field 40a. The data field 40a is a
random sequence of 64 bits generated by the random number
generator 53 in Figure 2. This sequence of bits is fed
through the XOR 30a and encrypted by a sequence of FEK
bits produced using the contents of the registers
70, 72, 74 to generate the addresses for memories 25a and
29a.

The first 32 bits of encrypted data are fed
into the SFC register 72 to generate a new SFC. At the
same time, the generation of a FEK bit from the secondary
memory 82 also increments the FBC register 74 so that its
contents are changing as the first 32 bits are fed
through the XOR gate 30a.

The next 32 bits are also encrypted and are
exclusive OR'D with the FEK bit count to increment the
FBC register 74.

After the random data 40a has been processed,
the frame distribution packet includes a pad 45a followed
by a data field 42a made up of 512 bits generated by the
random number generator 53. The purpose of the second
data field 42a is to check the integrity of the frame
distribution packet by means of the integrity CRC 44a
appended to the packet. This check is done, and indeed
the ICRC 44a is generated, using an ICRC generator 84
which is a 32-bit LRS register similar to that used for
the registers 70, 72, 74. Each of the bits of the random
field 42a is encrypted with the FEK bit by the XOR gate
30a and fed to the ICRC generator 84. This is initially
set at a full count - that is, all 1's - and is
incremented by the value of the encrypted bit. At the
end of the data field 42a, the contents of the ICRC
generator 84 should match those of the ICRC field 44a.
The contents are compared, and if the patterns are
identical, it is assumed that the frame distribution
packet has been transmitted satisfactorily. The value of
the FBC register 74 is then stored in the FBC register 76
and the contents of the registers 70, 72, 74 operate as the
new key.

If for some reason the ICRCs do not match, the
values in the registers 70, 72, 74 are deleted and the
previous values temporarily stored in registers
70a, 72a, 74a are restored until a new frame distribution
packet is recognized.

It will of course be understood that the
generation of a frame distribution packet is essentially
the same with the destination data 35a, source data 36a,
key sequence number 38a and the random data provided by
the frame distribution module 33. Again, therefore, the
encryption module 20a is utilized to generate a new key
both for transmission and for reception in each register
in the same domain.

If the frame distribution packet is received in
another domain, the primary memory and secondary memory
25a, 29a will have different secrets and therefore will
not generate a new key in which the ICRCs are matched.
This is because the ICRC is generated using the
encryption keys that are peculiar to a particular domain.
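
A toy software model of the second embodiment, covering both the FEK bit generation and the key generation steps above, including the rule that a flawed or foreign key distribution packet is ignored with the previous register contents restored. It is an added example, not code from the patent: the registers are assumed to be plain 32-bit counters and shift registers rather than LRS registers, zlib's CRC-32 stands in for the ICRC generator 84, and the secret memories and random fields are constructed from seeded PRNGs.

```python
import random
import zlib

MASK32 = 0xFFFFFFFF

def make_secret(seed):
    """Constructed stand-in for one domain's secret memories 25a and 29a."""
    rng = random.Random(seed)
    def balanced(n):                      # equal numbers of 1s and 0s, shuffled
        bits = [0, 1] * (n // 2)
        rng.shuffle(bits)
        return bits
    return [balanced(64) for _ in range(16)], balanced(1 << 16)

class SecurityDevice:
    def __init__(self, secret_seed):
        self.primary, self.secondary = make_secret(secret_seed)
        self.kdf = self.sfc = self.fbc = 0        # registers 70, 72, 74
        self.fbc_backup = 0                       # backup register 76

    def fek_bit(self):
        addr = 0
        for k in range(16):                       # one 6-bit address per column 24a
            a = ((self.kdf >> 2 * k) & 3) << 4    # two bits from KDF,
            a |= ((self.sfc >> 2 * k) & 3) << 2   # two bits from SFC,
            a |= (self.fbc >> 2 * k) & 3          # two bits from FBC
            addr = (addr << 1) | self.primary[k][a]
        self.fbc = (self.fbc + 1) & MASK32        # FBC steps after every FEK bit
        return self.secondary[addr]               # 16-bit address into memory 29a

    def crypt_frame(self, bits):
        """Encrypt or decrypt one frame (XOR is its own inverse)."""
        self.fbc = self.fbc_backup                # reloaded at each frame start
        out = [b ^ self.fek_bit() for b in bits]
        self.sfc = (self.sfc + 1) & MASK32        # count the successful frame
        return out

    def _derive(self, seq, r64, r512):
        """Turn KDP fields into new register contents; return the ICRC."""
        self.kdf, self.sfc, self.fbc = seq & MASK32, MASK32, MASK32
        for b in r64[:32]:                        # first 32 encrypted bits -> SFC
            self.sfc = ((self.sfc << 1) | (b ^ self.fek_bit())) & MASK32
        word = 0
        for b in r64[32:]:                        # next 32 are XORed into FBC
            word = (word << 1) | (b ^ self.fek_bit())
        self.fbc ^= word
        return zlib.crc32(bytes(b ^ self.fek_bit() for b in r512))

    def make_kdp(self, rng):
        seq = self.kdf + 1
        r64 = [rng.getrandbits(1) for _ in range(64)]
        r512 = [rng.getrandbits(1) for _ in range(512)]
        icrc = self._derive(seq, r64, r512)
        self.fbc_backup = self.fbc
        return seq, r64, r512, icrc

    def receive_kdp(self, kdp):
        seq, r64, r512, icrc = kdp
        saved = (self.kdf, self.sfc, self.fbc)    # parallel registers 70a, 72a, 74a
        if seq <= self.kdf or self._derive(seq, r64, r512) != icrc:
            self.kdf, self.sfc, self.fbc = saved  # flawed or foreign packet: ignore
            return False
        self.fbc_backup = self.fbc                # register 76 takes the new FBC
        return True

def demo():
    rng = random.Random(7)                        # constructed, not a secure RNG
    a1, a2, b = SecurityDevice(1), SecurityDevice(1), SecurityDevice(2)
    kdp = a1.make_kdp(rng)
    frame = [i % 3 & 1 for i in range(512)]       # constructed plaintext bits
    accepted = (a2.receive_kdp(kdp), b.receive_kdp(kdp), a2.receive_kdp(kdp))
    ct = a1.crypt_frame(frame)
    return accepted, a2.crypt_frame(ct) == frame, b.crypt_frame(ct) == frame
```

The random fields travel in clear; what a receiver outside the domain lacks is the memory contents, so its ICRC does not match and its registers are left as they were. The replayed packet is rejected by the sequence number comparison alone.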

We claim:

1. A data communication system comprising a
plurality of hosts interconnected by a communications
channel to allow data transfer therebetween, at least
some of the hosts having a cryptographic security device
associated therewith to organize said hosts into a common
security domain, said device having an encryption
function operable to encrypt data transmitted through the
channel to other hosts in said domain and decrypt data
received through the channel from other hosts in the
domain, a packet generating function to generate and
distribute on said channel a key distribution packet, and
a key generation function to receive said key
distribution packet and generate therefrom an encryption
key for said encryption function that is common to each
host in said domain.

2. A data communication system according to claim
1 wherein said key distribution packet includes an
identifier to distinguish said key distribution packet
from other data packets and each of said devices includes
means responsive to said identifier to direct said key
generator data packet to said key generating function.

3. A data communication system according to claim
1 wherein said packet generating function in each device
operates periodically to request access to said channel.

4. A data communication system according to claim
3 wherein said packet generating function includes a
timer to determine the interval between requests for
access to said channel.

5. A data communication system according to claim
4 wherein said timer is adjustable and intervals between
requests progressively decrease until access to said
channel is obtained.

6. A data communication system according to claim
5 wherein said interval is decreased upon receipt of a
key distribution packet from another device and
generation of a new key therefrom.

7. A data communication system according to claim
1 wherein said key distribution packet includes first and
second portions, said first portion being utilized by
said key generation function as a key in said encryption
function to encrypt said second portion and thereby
provide a new key for said encryption unit.

8. A data communication system according to claim
7 wherein said key distribution packet includes a check
function obtained by encryption of a portion of said key
distribution packet by said new key.

9. A data communication system according to claim
8 wherein said key generator packet includes a third
portion to be encrypted by said new key to generate said
check function.

10. A data communication system according to claim
9 wherein said first, second and third portions are
generated by a pseudo random number generator within said
packet generating function.

11. A data communication system according to claim
1 wherein each of said encryption functions has a key
serial number associated therewith and indicative of the
key utilized by said encryption function, said key
distribution packet including an indicator derived from
said key serial number and providing a means to associate
devices utilizing a common key.

12. A data communication system according to claim
11 wherein said indicator is included in one of said
portions.

13. A data communication system according to claim
6 wherein said timer is reset to a predetermined maximum
upon a device associated therewith transmitting a key
distribution packet to other hosts in said domain.

14. A data communication system according to claim
13 wherein said timer is set to a period exceeding said
maximum upon connection of said device to said system.

15. A method of distributing an encryption key in a
data communication network having a plurality of hosts
interconnected by a data communication channel and each
host having an encryption function associated therewith
comprising the steps of transmitting on said network a
key distribution packet, utilizing a first portion of
said packet as a key in said encryption function,
encrypting a second portion of said packet by said
encryption function with said first portion utilized as
said key and using the encrypted data as a new key.

16. A method according to claim 15 including the
step of comparing a check function derived from said new
key with a check function contained in said key
distribution packet to confirm an identity of encryption
function between a device generating said key
distribution packet and a device receiving said key
distribution packet.

17. A method according to claim 16 including the
step of utilizing said first and second portions of said
key distribution packet as a key and data respectively in
said generating device to provide a new key, utilizing a
third portion of said packet as data to be encrypted by
said new key, deriving from the encrypted data a check
function and including said check function in said key
distribution packet for comparison with a check function
similarly derived at said receiving device.

18. A method of encrypting data for transmission on
a communication channel comprising the steps of
establishing a key having a plurality of bits, grouping
selected ones of said bits to provide an address for
accessing a register containing data, outputting the data
contained at that address, utilizing the data in a
predetermined manner to provide a bit to encrypt a
corresponding bit of the data to be encrypted, and
modifying the key in a manner derived from the generation
of the encryption bit to provide a different bit sequence
at said key to generate a different address for said
register when generating the next encryption bit.

20. A method according to claim 18 wherein the
output from said register is utilized as at least one bit
of an address for a further register, the output from the
further register being utilized to generate said
encryption bit.

21. A method according to claim 18 wherein a
plurality of discrete groups are formed from said key and
a register is associated with each group.

22. A method according to claim 21 wherein outputs
of said registers associated with said groups are
organized to provide an address for each of a set of
further registers, each of which provides an output from
which the encryption bit is utilized.

23. A method according to claim 22 wherein said set
of further registers includes a pair of registers each of
which provides a single bit output.

24. A method according to claim 23 wherein said
bits are combined to produce said encryption bit.

25. A method according to claim 24 wherein said
bits are combined by an exclusive OR function.

26. A method according to claim 22 wherein said
outputs are utilized to determine the modification of
said key.

27. A method according to claim 22 wherein the
outputs determine which of said bits of said key are to
be changed.